Gina Sanders - stock.adobe.com
Legacy SonicWall kit exploited in ransom campaign
Users of older versions of SonicWall Secure Mobile Access 100 and Secure Remote Access products are at risk from a new ransomware campaign
Network security specialist SonicWall has told users of two legacy products running unpatched and end-of-life firmware to take immediate and urgent action to head off an “imminent” ransomware campaign.
The affected products are SonicWall’s Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) running version 8.x of the relevant firmware. The threat actors behind the campaign are using stolen credentials and exploiting a known vulnerability that has been patched in more recent versions.
“Organisations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA and SMA 100 series products are at imminent risk of a targeted ransomware attack,” SonicWall said in a disclosure notice. “The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk.”
Users of SonicWall SRA 4600/1600, SRA 4200/1200, and SSL-VPN 200/2000/400, which have all entered end-of-life status over the past few years, should disconnect their devices immediately and reset their passwords because no fix is coming.
Those using SMA 400/200, which is still supported in limited retirement mode, should update to version 10.2.0.7-34 or 9.0.0.10 immediately, reset passwords and enable multifactor authentication (MFA)
Also, those running SMA 210/410/500v with firmware versions 9.x and 10.x should update to 9.0.0.10-28sv or later, and 10.2.0.7-34sv or later.
For those devices that are past the point where mitigation is possible, SonicWall is offering a complimentary virtual SMA 500v until 31 October this year, to give customers time to transition to a supported product.
Vectra AI president and CEO Hitesh Sheth said: “Give credit to SonicWall here, but the digital world is rife with these kinds of vulnerabilities. Most are uncatalogued. And we’ll never run them all down this way, because the infrastructure is so dynamic and attack vectors naturally multiply.
“That hard truth means we’re going to win this battle – and it will be won – working inside targeted systems. When breaches are statistically inevitable, only ruthless and rapid breach detection heads off serious damage.”
Ian Porteous, Check Point’s regional director of security engineering for the UK and Ireland, added: “This aligns with a recent trend of ransomware attacks and shows us again that the cyber crime actors behind these ransomware attacks are very agile, always looking for new tricks and techniques that will allow them to carry out their malicious deeds.”
The identity of the threat actors behind the ransomware campaign has not been disclosed. SonicWall worked with Mandiant’s threat research team on its vulnerability response.
Read more about recent vulnerability disclosures
- July’s Patch Tuesday update includes critical fixes, but one well-known remote code execution bug might remain open for those with specific registry key settings.
- Microsoft has observed DEV-0322, the threat actor exploiting the SolarWinds Serv-U zero-day, ‘targeting entities in the US Defense Industrial Base Sector and software companies’.
- Microsoft’s July Patch Tuesday update fixes 117 vulnerabilities, 13 rated as critical and four already being actively exploited.